Allow rule seems to get ignored on the first try

AlexForums · September 19, 2023, 6:25pm

Not sure, 00:a0:98:1d:e7:e5 is indeed my calling 192.168.3.15 device though. Same thing with 00:a0:98:12:46:a1 which is another Ubuntu VM testing environment (192.168.3.5).

I'll try using just a laptop connected to port 1 (VLAN) and see if that makes a difference.

I have restarted multiple times, and have also reset the router.

vgaetera · September 19, 2023, 6:30pm

Powering off, restarting, or reflashing may not be enough to flush the switch cache.
Make sure to unplug the power cord from the router for a few seconds.
If the issue persists, it may be caused by a specific built-in switch implementation.

trendy · September 19, 2023, 6:34pm

Since you mentioned VMs, are you certain that there is no network loop with the host machine connected on both networks?
Can you try to connect 2 simple computers and run the tests again?

Ramon · September 19, 2023, 6:49pm

R7800 i not DSA yet.
Is the interface definition of 'exposed' correct? In my config i defined multiple bridges then added the bridge to the interface instead of the eth 1.3. That seems to work for me

AlexForums · September 19, 2023, 8:52pm

I tested it with a laptop, and it behaves like it should, so it must be something with my TrueNAS configuration.

It has a NIC with two ports and an interface for each, and I was using one port (igb0) for normal LAN access, and the other (igb1) for VLAN access, which I assigned to some VMs to isolate them from the LAN.

Would this cause a network loop? I'm not very experienced with networking haha. Certainly seems likely though.
Now I'm trying to set it up with VLAN tagging, as TrueNAS allows you to setup VLAN interfaces with IDs etc., though I've had no luck thus far.

vgaetera · September 19, 2023, 9:05pm

Both ICMP echo request and reply arrive on the router as tagged VLAN 1:

AlexForums:

In 00:a0:98:1d:e7:e5 ethertype 802.1Q (0x8100), length 104: vlan 1
    192.168.3.15 > 192.168.1.21: ICMP echo request
...
In 00:25:90:2d:08:46 ethertype 802.1Q (0x8100), length 104: vlan 1
    192.168.1.21 > 192.168.3.15: ICMP echo reply

This looks like 192.168.1.21 and 192.168.3.15 are currently in the same VLAN 1.
Perhaps you are using the wrong virtual networking method.

slh · September 19, 2023, 11:15pm

That is normal for ipq806x, two CPU ports to the same switch, one exclusively for WAN, one exclusively for the LAN ports, to achieve full 1000 MBit/s full-duplex (in their proprietary NSS firmware) in- and out. All ports (including the CPU ports) are freely configurable as desired, the above is just the default config.

DSA support is ready, but unmerged so far: